httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45054] New: SSLVerifyClient optional_no_ca is broken
Date Wed, 21 May 2008 09:29:41 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45054

           Summary: SSLVerifyClient optional_no_ca is broken
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: bdauvergne@entrouvert.com


The documented behavious for the option 'optional_no_ca' is that if the return
code
of SSL_Accept valid this predicate:
ssl_private.h:#define ssl_verify_error_is_optional(errnum) \
ssl_private.h-   ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
ssl_private.h-    || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
ssl_private.h-    || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
ssl_private.h-    || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
ssl_private.h-    || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
then the error code in SSL_VERIFY_CLIENT should be "FAILED:(an error message)"
but "GENEROUS".

This functionality is very useful to use certificate as an user-centric
authentication token, why forbid it with this code from ssl_engine_io.c:
        if (ssl_verify_error_is_optional(verify_result) &&
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
        {
            /* leaving this log message as an error for the moment,
             * according to the mod_ssl docs:
             * "level optional_no_ca is actually against the idea
             *  of authentication (but can be used to establish
             * SSL test pages, etc.)"
             * optional_no_ca doesn't appear to work as advertised
             * in 1.x
             */
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed, "
                          "accepting certificate based on "
                          "\"SSLVerifyClient optional_no_ca\" "
                          "configuration");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
        }
look that we don't reset the result to something good like X509_V_OK.

And this code that return the value of SSL_VERIFY_CLIENT:
    if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs ==
NULL)
        /* no client verification done at all */
        result = "NONE";
    else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL &&
xs != NULL)
        /* client verification done successful */
        result = "SUCCESS";
    else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))
        /* client verification done in generous way */
        result = "GENEROUS";
    else
        /* client verification failed */
        result = apr_psprintf(p, "FAILED:%s", verr);

    if (xs)
        X509_free(xs);

The third condition can never happen as vrc will be OK and vinfo == GENEROUS at
the same time.
Two approaches:
- reset the result code (we loss information), with a
  SSL_set_verify_result(ssl, X509_V_OK); inside the first extracted code.
- change third condition with this patch:
        -    else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo,
"GENEROUS"))
        +    else if (ssl_verify_error_is_optional(vrc) && vinfo != NULL &&
strEQ(vinfo, "GENEROUS"))
 - bonus point would be to return the result code inside another variable and
   completely removing the optional_no_ca option, web app could just use
   optional and choose actions in function of SSL_VERIFY_CLIENT == FAILED and
   the error code.

What do you think ?


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message